Practice Policies & Patient Information
Children’s Privacy Notice
What is a privacy notice?
A privacy notice is a document which helps your doctor’s surgery tell you how it uses information (also known as personal data) it has about you, such as your name, address, date of birth and all the notes the doctor or nurse make about you when you come to see us. It also tells you how we make sure your information is kept safe.
Why do we need one?
We want to make sure your personal data is safe and looked after, and that everybody at the Practice is following the laws which keep your information secure. These laws are called the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
Why do we collect information about you?
We help to look after your health. To do this, we collect and keep information about you such as your name, address and telephone number so that we know how to contact you, and the name of the person who will usually bring you to your appointments. Each time you visit, we will write down what you tell us, what your family shares about you, things we tell you and any medicines or treatments we give you; that way we can look back at what we have done to make sure we are treating you in the best way.
What do we do with it and how do we keep it safe?
We keep the information we collect about you. This information is called your Health Record.
Anyone involved in your care at the Practice can see what has been collected. This helps us make the right decisions about your care when you are poorly. We might need to share this information with others, such as a hospital so the doctors and nurses there also have access to your information to treat you and help us keep you healthy.
We undergo training every year to make sure we know how to look after your data. Staff are only allowed to look at your information if they are involved in your care and must keep all your information safe. We are only allowed to give your information to authorised people.
Who do we share your data with?
We may share the information we record about you with others involved in your care. We routinely share information with school nurses, but not directly with school unless it is important for them to know. We might need to share this information with other medical teams, such as hospitals, if you need to be seen by a special doctor or sent for an X-ray.
Your parents/guardians should get a copy of any letters sent by your doctor about your care. Some of you may decide that you do not want information being shared with your parents/guardians, we advise you to speak with a member of our team if you have any questions about this.
If you have a social worker, we will share your information with them too. That way they are kept up to date on what we are doing for you.
We may have to share information with the police, the courts and other organisations and people who may have a legal right to see your information.
If you tell us something that makes us worried about your safety or the safety of someone else you know, we might have to share this with other people outside of the practice – even if you don’t want us to. This is part of our job to keep you and others safe.
Sometimes our surgery might be asked to take part in medical research that might help you or other people in the future. We will always ask you or your parent(s) or adult with parental responsibility if we can share your data.
What if you don’t want to share?
You can tell us that you don’t want us to share your information. This is called ‘opting out’ and every patient has a right to do so. You can choose to opt out of your confidential information being used for research and planning; this is called the National Data Opt-out. There may still be times when your information is used, for example when there is a risk to your health or the health of other people.
How long do we keep your information for?
We will keep a copy of your information in our Practice for as long as you are registered as a patient. If you leave the Practice, we will make sure that a copy of any information we hold about you is passed to your new GP so they can continue with your care. The Practice must follow the NHS Records Management Code of Practice 2021. This is a document that tells us how long we can keep records for. Once the records have been kept for the time needed, they will be safely deleted or destroyed.
Can I have a copy of my medical records?
Yes. You or your parent/guardian need to contact us to specify what information you would like to access. This could include a particular part of your medical record, an X-ray, or a report.
If your parent/guardian is making the request on your behalf, we will verify their identity to ensure that we share your information appropriately, and obtain your consent if necessary.
What are your rights over your personal data?
You have the following rights over your data we hold:
- You can see what information we have on you. Other people can ask on your behalf, however we will check they are who they say they are to make sure we are not sharing your information with anyone who should not see it.
- If there is anything incorrect in your record, you or someone on your behalf can ask us to correct it, including adding any missing information. However, the law says we cannot remove information from your health record, even if you ask us to.
- If we have asked for permission to share your information with someone, you or someone on your behalf can tell us that you have changed your mind. As soon as we are told, we will not share the information.
- If you would like to talk to us about not sharing your information, even if this means you do not want us to share your information with your parent(s) or adult with parental responsibility, please let us know. We will be happy to help.
What if you have a question or if you are not happy with how we process your data?
If you have a question or if you are not happy about the way your information is managed, you can email us at tudor.surgery.reception@nhs.net, visit the Practice, or call us on 01270 442133 and speak to a member of our staff, who will be happy to talk to you and answer any questions or worries you might have. We will do our best to help you.
You can also ask your parent or adults with parental responsibility to speak to us on your behalf. If you are still not happy after speaking with us, you can contact the Data Protection Officer (DPO) by email at dpo.healthcare@nhs.net or you can telephone the DPO team on 07946 593082.
If you are still not happy with the advice you have received, you can contact an organisation called the Information Commissioner’s Office (ICO) by visiting www.ico.org.uk and selecting ‘Raising a Concern’, or by calling them on 0303 123 1133.
Complaints
Most problems can be sorted out quickly and easily, often at the time they arise with the person concerned and this may be the approach you try first.
If you are not able to resolve your complaint in this way and wish to make a formal complaint you should do so, in writing, as soon as possible after the event ideally within a few days as this helps us establish what happened more easily.
In any event, this should be within 12 months of the incident, giving as much detail as possible. If you are a registered patient you can complain about your own care. However, you are not allowed to complain about someone else’s treatment without their written authority.
We can provide you with a separate complaints form to register a complaint on behalf of someone else. Please ask at reception for the relevant forms.
Send your written complaint to:
Practice Manager, Tudor Surgery,
Church View Primary Care Centre,
Beam Street,
Nantwich,
Cheshire,
CW5 5NX
If you are dissatisfied with the outcome you have the right to approach the Health Service Ombudsman. The contact details are:
The Parliamentary and Health Service Ombudsman,
Millbank Tower,
Millbank,
London,
SW1P 4QP
Tel: 03450154033
Website: www.ombudsman.org.uk
Alternatively you may wish to contact NHS England:
- by post to: NHS England, PO Box 16738, Redditch, B97 9PT
- by email to: england.contactus@nhs.net (please state ‘For the attention of the complaints team’ in the subject heading)
- by telephone: 0300 311 22 33
Confidentiality and Medical Records
The Practice complies with all requirements of the Data Protection Act and Access to Medical Records legislation. All our staff adhere to a confidentiality policy which means we will not release your personal health information without your consent. Personal details are not shared unless this is relevant to your care e.g. by referral to the hospital.
We respect your right to privacy and keep all your health information confidential and secure. To enable the multi-disciplinary team to provide you with healthcare that meets your individual needs, you should be aware that it is sometimes necessary for us to share medical information with fellow healthcare workers. You have a right to know what information we hold about you.
If you would like to see your records, please telephone the practice and ask to speak with our Practice Manager, Helen Glover.
Data Protection Policy (updated June 2022)
Overview
- The Practice takes the security and privacy of your data seriously. We need to gather and use information or ‘data’ about you as part of our business and to manage our relationship with you. We intend to comply with our legal obligations under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 in respect of data privacy and security. We have a duty to notify you of the information contained in this policy.
- This policy applies to current and former directors, Partners, employees, apprentices and consultants. If you fall into one of these categories then you are a ‘data subject’ for the purposes of this policy. You should read this policy alongside your contract of employment (or contract for services) and any other notice we issue to you from time to time in relation to your data.
- The Practice has measures in place to protect the security of your data in accordance with our various data security policies. We will only hold data for as long as necessary for the purposes for which we collected it.
- The Practice is a ‘data controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data.
- This policy explains how the Practice will hold and process your information. It explains your rights as a data subject. It also explains your obligations when obtaining, handling, processing or storing personal data in the course of working for, or on behalf of, the Practice.
- This policy does not form part of your contract of employment (or contract for services if relevant) and can be amended by the Practice at any time. It is intended that this policy is fully compliant with the UK GDPR and the Data Protection Act 2018 and it will be updated as required when the law changes. If any conflict arises between the law and this policy, the Practice intends to comply with the law.
Data Protection Principles
Personal data must be processed in accordance with six ‘Data Protection Principles.’ It must:
- be processed fairly, lawfully and transparently;
- be collected and processed only for specified, explicit and legitimate purposes;
- be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
- be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
- not be kept for longer than is necessary for the purposes for which it is processed; and
- be processed securely.
We are accountable for these principles and must be able to show that we are compliant.
How we define personal data
‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data.
This policy applies to all personal data whether it is stored electronically or on paper.
This personal data might be provided to us by you, or someone else (such as a former employer, your doctor, or a credit reference agency), or it could be created by us. It could be provided or created during the recruitment process or during the course of the contract of employment (or services) or after its termination. It could be created by your manager or other colleagues.
We will collect and use the following types of personal data about you:
- recruitment information such as your application form and CV, references, qualifications and membership of any professional bodies and details of any pre-employment assessments;
- your contact details and date of birth;
- the contact details for your emergency contacts;
- your gender;
- your marital status and family details;
- information about your contract of employment (or services) including start and end dates of employment, role and location, working hours, details of promotion, salary (including details of previous remuneration), pension, benefits and holiday entitlement;
- your bank details and information in relation to your tax status including your national insurance number;
- your identification documents including passport and driving licence and information in relation to your immigration status and right to work for us;
- information relating to disciplinary or grievance investigations and proceedings involving you (whether or not you were the main subject of those proceedings);
- information relating to your performance and behaviour at work;
- training records;
- immunisation records if appropriate for your role;
- your images (whether captured on CCTV, by photograph or video);
- any other category of personal data which we may notify you of from time to time.
How we define special categories of personal data
‘Special categories of personal data’ are types of personal data consisting of information as to:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic or biometric data;
- health;
- sex life and sexual orientation; and
- any criminal convictions and offences.
We may hold and use any of these special categories of your personal data in accordance with the law.
‘Processing’ means any operation which is performed on personal data such as:
- collection, recording, organisation, structuring or storage;
- adaption or alteration;
- retrieval, consultation or use;
- disclosure by transmission, dissemination or otherwise making available;
- alignment or combination; and
- restriction, destruction or erasure.
This includes processing personal data which forms part of a filing system and any automated processing.
How will we process your personal data?
The Practice will process your personal data (including special categories of personal data) in accordance with our obligations under the law.
We will use your personal data for:
- performing the contract of employment (or services) between us;
- complying with any legal obligation; or
- if it is necessary for our legitimate interests (or for the legitimate interests of someone else). However, we can only do this if your interests and rights do not override ours (or theirs). You have the right to challenge our legitimate interests and request that we stop this processing.
We can process your personal data for these purposes without your knowledge or consent. We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.
If you choose not to provide us with certain personal data you should be aware that we may not be able to carry out certain parts of the contract between us. For example, if you do not provide us with your bank account details we may not be able to pay you. It might also stop us from complying with certain legal obligations and duties which we have such as to pay the right amount of tax to HMRC or to make reasonable adjustments in relation to any disability you may suffer from.
Where your choice not to give us certain personal data means we are unable to comply with our legal obligations or the terms of our contract with you, we may be obliged to terminate your employment (or engagement).
Examples of when we might process your personal data
We have to process your personal data in various situations during your recruitment, employment (or engagement) and even following termination of your employment (or engagement).
For example (see below for the meaning of the asterisks):
- to decide whether to employ (or engage) you;
- to decide how much to pay you, and the other terms of your contract with us;
- to check you have the legal right to work for us;
- to carry out the contract between us including where relevant, its termination;
- training you and reviewing your performance*;
- to decide whether to promote you;
- to decide whether and how to manage your performance, absence or conduct*;
- to carry out a disciplinary or grievance investigation or procedure in relation to you or someone else;
- to determine whether we need to make reasonable adjustments to your workplace or role because of your disability*;
- to monitor diversity and equal opportunities*;
- to monitor and protect the security (including network security) of the Practice, of you, our other staff, customers and others;
- to monitor and protect the health and safety of you, our other staff, customers and third parties*;
- to pay you and provide pension and other benefits in accordance with the contract between us*;
- paying tax and national insurance;
- to provide a reference upon request from another employer;
- monitoring compliance by you, us and others with our policies and our contractual obligations*;
- to comply with employment law, immigration law, health and safety law, tax law and other laws which affect us*;
- to answer questions from insurers in respect of any insurance policies which relate to you*;
- running our business and planning for the future;
- the prevention and detection of fraud or other criminal offences;
- to defend the Practice in respect of any investigation or litigation and to comply with any court or tribunal orders for disclosure*;
- for any other reason which we may notify you of from time to time.
We will only process special categories of your personal data (see above) in certain situations in accordance with the law. For example, we can do so if we have your explicit consent. If we asked for your consent to process a special category of personal data then we would explain the reasons for our request.
We do not need your consent to process special categories of your personal data when we are processing it for the following purposes, which we may do:
- where it is necessary for carrying out rights and obligations under employment law;
- where it is necessary to protect your vital interests or those of another person where you/they are physically or legally incapable of giving consent;
- where you have made the data public;
- where processing is necessary for the establishment, exercise or defence of legal claims; and
- where processing is necessary for the purposes of occupational medicine or for the assessment of your working capacity.
If you have criminal convictions that are relevant to our employment or engagement of you, we will record this information for our own legitimate interests and to enable us to answer questions from our regulators and other entitled authorities.
We might process special categories of your personal data for the purposes set out above. In particular, we will use information in relation to:
- your race, ethnic origin, religion, sexual orientation or gender to monitor equal opportunities;
- your sickness absence, health and medical conditions to monitor your absence, assess your fitness for work, to pay you benefits, to comply with our legal obligations under employment law including to make reasonable adjustments and to look after your health and safety; and
We do not take automated decisions about you using your personal data or use profiling in relation to you.
Sharing your personal data
Sometimes we might share your personal data with group companies or our contractors and agents to carry out our obligations under our contract with you or for our legitimate interests.
We require those companies to keep your personal data confidential and secure and to protect it in accordance with the law and our policies. They are only permitted to process your data for the lawful purpose for which it has been shared and in accordance with our instructions.
The third parties we use who may hold personal data about you are:
- Payroll company
- Pension provider
We do not send your personal data outside the European Economic Area. If this changes you will be notified of this and the protections which are in place to protect the security of your data will be explained.
Retention of staff information post-employment
After you have left the Practice, we will retain the information we hold about you for a period of six years to enable us to comply with our legal obligations in respect of, for example, HMRC and the Department of Work and Pensions. We will also retain it to enable us to deal with any issues that arise relating to your employment after you have left. This is in our own legitimate interests.
How should you process personal data for the Practice?
Everyone who works for, or on behalf of, the Practice has some responsibility for ensuring data is collected, stored and handled appropriately, in line with this policy and other data protection policies.
The Practice’s Data Protection Officer is Tara Moylan who is responsible for reviewing this policy and updating the Practice on data protection responsibilities and any risks in relation to the processing of data. You should direct any questions in relation to this policy or data protection to this person.
- You should only access personal data covered by this policy if you need it for the work you do for, or on behalf of, the Practice and only if you are authorised to do so.
- You should only use the data for the specified lawful purpose for which it was obtained.
- You should not share personal data informally.
- You should keep personal data secure and not share it with unauthorised people.
- You should regularly review and update personal data which you have to deal with for work. This includes telling us if your own contact details change.
- You should not make unnecessary copies of personal data and should keep, and dispose of, any copies securely.
- You should use strong passwords in accordance with our Data Security and Password Policy.
- Consideration should always be given to encrypting personal data before transmitting out to a recipient outside our Practice.
- Consider anonymising data or using separate keys/codes so that the data subject cannot be identified.
- Do not save personal data to your own personal computers or other devices.
- Personal data should never be transferred outside the European Economic Area except in compliance with the law and authorisation of the Data Protection Officer/Data Protection Manager.
- You should lock drawers and filing cabinets where possible. Do not leave paper with personal data lying about.
- You should not take personal data away from Practice’s premises without authorisation.
- Printed personal data should be shredded and disposed of securely when you have finished with it.
- You should ask for help from the Practice Manager if you are unsure about data protection or if you notice any areas of data protection or security we can improve upon.
- Any deliberate or negligent breach of this policy by you may result in disciplinary action being taken against you in accordance with our disciplinary procedure.
- It is a criminal offence to conceal or destroy personal data which is part of a subject access request (see below). This conduct would also amount to gross misconduct under our disciplinary procedure, which could result in your dismissal.
How to deal with data breaches
We have robust measures in place to minimise and prevent data breaches from taking place, including a Data Breach Policy and Data Breach Register. Should a breach of personal data occur (whether in respect of you or someone else) then we must take notes and keep evidence of that breach.
If the breach is likely to result in a risk to the rights and freedoms of individuals then we must also notify the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware of it.
Subject access requests
Data subjects can make a ‘subject access request’ (‘SAR’) to find out the information we hold about them. This request must be made in writing. If you receive such a request you should forward it immediately to the practice manager who will coordinate a response.
If you would like to make a SAR in relation to your own personal data you should make this in writing to the Data Protection Officer/Data Protection Manager. We must respond within one month unless the request is complex or numerous in which case the period in which we must respond can be extended by a further two months.
There is no fee for making a SAR. However, if your request is manifestly unfounded or excessive we may charge a reasonable administrative fee or refuse to respond to your request.
- You have the right to information about what personal data we process, how and on what basis as set out in this policy.
- You have the right to access your own personal data by way of a subject access request (see above).
- You can correct any inaccuracies in your personal data. To do so, you should contact the Practice Manager.
- You have the right to request that we erase your personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected. To do so you should contact the Practice Manager.
- While you are requesting that your personal data is corrected or erased or are contesting the lawfulness of our processing, you can apply for its use to be restricted while the application is made. To do so you should contact the Practice Manager.
- You have the right to object to data processing where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own and you wish us to stop.
- You have the right to object if we process your personal data for the purposes of direct marketing.
- With some exceptions, you have the right not to be subjected to automated decision-making.
- You have the right to be notified of a data security breach concerning your personal data, unless the breach is trivial.
In most situations we will not rely on your consent as a lawful ground to process your data. If we do however request your consent to the processing of your personal data for a specific purpose, you have the right not to consent or to withdraw your consent later. To withdraw your consent, you should contact the Data Protection Officer.
You have the right to complain to the Information Commissioner. You can do this by contacting the Information Commissioner’s Office directly. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ico.org.uk).
This website has further information on your rights and our obligations.
Data Quality Policy
1. Introduction
This policy applies to:
- All practice employees
- Contractors under contract to the Practice
- Staff on work experience, honorary contracts, and those authorised to work on behalf of the Practice
It sets out the conduct expected from all staff directly employed by Tudor Surgery and for whom the Practice has legal responsibility.
This policy covers all clinical and non-clinical operational data held in any format, including (but not limited to):
- Administrative records (personnel, estates, financial, accounting, contracts, litigation, complaints)
- Electronic data (emails, databases)
- Data on digital devices (memory cards, portable storage)
This policy should be read alongside:
- Confidentiality and Data Protection Policy
- Information Security Policy
- Access to Health Records Policy
- Freedom of Information and Environmental Information Regulations Policy
2. Responsibilities
The policy aims to:
- Meet patients’ needs for high-quality, secure data processing
- Preserve and improve service quality
- Ensure compliance with national and international regulatory requirements
All staff must:
- Cooperate fully while maintaining confidentiality, integrity, and availability of patient and partner information
- Dispose of personal or sensitive data confidentially
- Keep appropriate records of their work and maintain security of all records
Tudor Surgery’s strategic commitments:
- Develop best practices for assessing and controlling data quality
- Continuously improve processes for collecting, maintaining, and recording data
- Communicate professionally and transparently with patients and partners
- Provide complete, accurate, accessible, and valid data in line with UK GDPR and Data Protection Act 2018
- Support staff professional development
- Monitor and manage data processes effectively
- Ensure confidentiality, integrity, and access to all physical and electronic data
- Conduct Data Protection Impact Assessments and apply risk-based measures
- Provide training on data processing and quality standards
- Investigate suspected or identified data breaches promptly
- Set clear data protection requirements for all employees and contractors
3. Legal Obligations and Standards
This policy is supported by:
- Records Management NHS Code of Practice 2021
- Data Protection Act 2018
- UK GDPR 2021 and General Data Protection Regulation 2016
- Access to Health Records Act 1990
- Freedom of Information Act 2000
- Common Law Duty of Confidentiality
- Equality Act 2010
- Human Rights Act 1998
4. Incident Reporting
All staff must report incidents where:
- Personal confidential information is missing or stolen
- Inappropriate access is suspected
Reports should be made to the Practice Manager for immediate investigation.
5. Equality and Diversity
The Practice ensures policies:
- Meet diverse needs without disadvantage
- Comply with Equality Act 2010 and Human Rights Act 1998
- Promote equal opportunities for all
No one should receive less favourable treatment based on:
- Age, disability, sex, gender reassignment, sexual orientation, marriage/civil partnership, race, religion/belief, pregnancy/maternity
- Gender identity, socio-economic status, immigration status
The Practice adheres to the Public-Sector Equality Duty (PSED) in all activities.
6. Due Regard
This policy supports PSED objectives to:
- Eliminate discrimination, harassment and victimisation
- Advance equality of opportunity
- Foster good relations
7. Review and Monitoring
- The Practice Manager will monitor record quality regularly
- Managers will conduct periodic quality control checks
- Policy reviewed annually or sooner if legislation or standards change
Freedom of Information Requests
How to make a Freedom of Information request and the practice’s obligations
Remember:
You cannot make a Freedom of Information request for your personal data. Speak to your practice about making a Subject Access Request for your personal data
Sharon Forrester-Wild:
GDPR Practitioner
Data Protection Officer
DPO queries: 01270 275217
DPO.healthcare@nhs.net
How to make a Freedom of Information (FOI) request
Anyone can make an FOI request. You do not have to be a patient of the practice. Before you consider making an FOI request, check that the information you wish to receive is not already available in the public domain, including on the practice’s own website.
What should you include in an FOI request?
If you follow these three rules, you will increase your chances of receiving the requested information:
- Your real name – the practice may reject your request if they cannot confirm your identity.
- Contact details – include either your postal or email address so the practice can send you the information.
- Provide a clear and precise description of the information – generalised requests risk being rejected as it would cost too much to produce.
What you cannot ask for in an FOI
You cannot ask the practice to release your personal data under an FOI. If you wish to have a copy of your medical records, contact the practice and ask to make a Subject Access Request.
What your practice must do
Your FOI request will be reviewed by a senior member of the practice.
They will either:
- Arrange for the information to be gathered and supplied to you
- Contact you to discuss focusing your request
- Write to you to explain why your request has been refused
- Redirect you to the organisation who has the information.
- Inform you that the practice needs more time due to the nature of the request.
Whatever decision is made, the practice will contact you within 20 working days.
How to make a complaint
If you are not happy with the decision of the practice, contact the Practice Manager and request an internal review in the first instance. If you remain unsatisfied with the decision made by the practice and the subsequent internal review, you can complain to the Information Commissioner’s Office at www.ico.org.uk.
Contact Us
H Glover – Practice Manager
Tudor Surgery,
Church View PCC,
Beam Street,
Nantwich,
Cheshire,
CW5 5NX
01270 442133
GP Net Earnings
All GP practices are required to declare the mean earnings (e.g. average pay) for GPs working to deliver NHS services to patients at each practice.
The average pay for GPs working in Tudor Surgery in the 2023/24 financial year was £62,140 before tax and National Insurance. This is for 2 part time GPs and 2 locum GPs who worked in the practice for more than 6 months.
Information Governance Policies
Information Security Policy
Reviewed: June 2022
Reference: NHS Digital – Information Security Policy
1. Information Security Principles
The core principles of information security are to protect the following properties of information/data assets:
- Confidentiality (C) – Protect information/data from breaches, unauthorized disclosures, loss, or unauthorized viewing
- Integrity (I) – Ensure information/data is not modified without authorization
- Availability (A) – Maintain access to information/data by protecting it from disruption or denial of service attacks
Additional considerations:
- Reputation – Breaches of C, I, or A can result in reputational loss
- Aggregation Effect – Large volumes or associated data can increase confidentiality risks
- Patient Data – Breaches involving patient medical data have amplified impact
2. Terminology
| Term | Meaning/Application |
|---|---|
| SHALL | Mandatory requirement of this policy |
| SHOULD | Recommended requirement |
| MAY | Optional requirement |
3. Governance – Roles and Responsibilities
All Staff
- Responsible for protecting information assets
- Must act professionally and responsibly when conducting Tudor Surgery business
- Accountable for actions related to NHS and UK Government information systems
- Failure to comply may result in disciplinary action
- Annual mandatory training reinforces responsibilities
Senior Information Risk Owner (SIRO)
Dr Nadeem Rasul
Accountable for information risk within Tudor Surgery
- Advises on effectiveness of information risk management
- Ensures risks are managed per the Tudor Surgery Risk Management Policy
Information Governance Lead (IG Lead)
Dr Nadeem Rasul
Responsibilities include:
- Advising on information security and compliance
- Acting as central point of contact for information security
- Ensuring operational effectiveness of security controls
- Monitoring and coordinating the Information Security Management System
- Reporting to SIRO and relevant bodies
- Investigating potential and actual security breaches
Caldicott Guardian
Dr Nadeem Rasul
- Ensures implementation of Caldicott Principles and Data Security Standards for patient confidential data
Caldicott Principles
- Justify the purpose(s) for using confidential information
- Don’t use personal confidential data unless absolutely necessary
- Use the minimum necessary personal confidential data
- Access should be on a strict need-to-know basis
- Everyone with access should understand their responsibilities
- Comply with the law
- Duty to share information can be as important as duty to protect confidentiality
- Inform patients and service users about how their information is used
Data Protection Officer (DPO)
Sharon Forrester-Wild
Responsibilities include:
- Ensuring compliance with Data Protection Act, GDPR, FOI Act, and related regulations
- Providing expert advice and best practice guidance
- Acting as central contact point internally and externally (including ICO)
- Promoting awareness and transparency
- Managing subject access requests
Information Asset Owners
Likely IG Lead – Dr Nadeem Rasul
Responsibilities include:
- Understanding what information is held
- Tracking additions/removals
- Knowing how information moves
- Managing access and permissions
4. Supporting Policies
The Information Security Policy is supported by additional policies grouped into:
- Technical Security – Network security, patching, monitoring, secure configuration, legacy systems
- Operational Security – Data handling, mobile/remote working, disaster recovery, social media use
- Security Management – Incident response, asset management, auditing
Also supported by Physical and Personnel Security Policies.
5. Legislation
Tudor Surgery complies with all relevant UK and EU legislation, including:
- Data Protection Act 2018
- Freedom of Information Act 2000
- Health & Social Care (Safety & Quality) Act 2015
- Computer Misuse Act 1990
- GDPR 2016 & UK GDPR 2021
Audit
Audits will be conducted as part of the ongoing Tudor Surgery Audit Programme.
The Information Governance Lead is responsible for ensuring that appropriate evidence and records are provided to support these activities at least annually.
Review
This policy will be reviewed annually or sooner if required by changes in legislation or standards.
Next Review Due: June 2023
Key Roles
- Caldicott Guardian: Dr Nadeem Rasul
- Information Governance Lead: Dr Nadeem Rasul
- Data Protection Officer: Sharon Forrester-Wild
Organ Donation & Summary Care Records
Organ Donation
From 20 May 2020, all adults in England will be considered to have agreed to be an organ and tissue donor when they die unless they recorded a decision not to donate or are in one of the excluded groups.
This is commonly referred to as an ‘opt out’ system. This means that if you have not confirmed whether you want to be an organ donor – either by recording a decision on the NHS Organ Donor Register or by speaking to friends or family – it will be considered that you agree to donate your organs when you die.
For further information please visit www.organdonation.nhs.uk or phone 0300 303 2094.
Summary Care Records
Your Summary Care Records are a summary of your medical records. You can either give consent or opt out from sharing your data.
Click here to fill out the ‘Opt Out’ form.
Patient Access to Medical Reports
Introduction
The law states that NHS organisations must give a person access to their personal health information when it is requested. Therefore, a practice must have procedures in place to make access to the information straightforward.
Several areas of legislation give the individual the right to request such personal information:
- The Access to Medical Reports Act 1988
- The Access to Health Records Act 1990
- The UK General Data Protection Regulation 2021 (UK GDPR)
- The Data Protection Act 2018 (DPA)
Patients requesting their own personal medical records will have their request dealt with under the provisions of the Data Protection Act 2018 and UK GDPR 2021.
Online patient access to services does not change the right of patients to request access to their medical records under the provisions of the Data Protection Act (DPA) and UK GDPR. The DPA principles and confidentiality requirements apply in the same way for online access as they do for paper copies of the record.
The Health Record:
- A health record is any record which consists of information relating to the physical and/or mental health or condition of an individual made by a health professional in connection with the care of the individual. It can be recorded in a computerised form, in a manual form or a mixture of both.
- Information covers expression of opinion about individuals as well as fact. Health records may include notes made during consultations and correspondence between health professionals, such as referral and discharge letters, results of tests and their interpretation, X-ray films, photographs, and tissue samples taken for diagnostic purposes. They may also include reports written for third parties, such as insurance companies.
Detailed Patient Record Access includes:
- The minimum specification described by NHS England in the patient online support and resources guide is:
  - Demographic data i.e. name, address, age
  - Allergies and adverse reactions
  - Medication
  - Immunisations
  - Investigation results including numerical values and normal ranges
  - Problems/diagnoses
  - Procedure codes (medical and surgical) and codes in consultations (symptoms and signs)
  - Biological values (e.g. BP)
  - Codes showing referrals made or letters received
  - Other codes (ethnicity, QOF)
- Prospective Detailed Coded Record will also include consultation free text and access to letters.
Medical Records Access – Staff Responsibility (Practice Manager and Clinical Leads):
- For the purposes of reviewing requests, the Practice Manager and a named Clinical Lead should ensure current data protection requirements are followed (the DPO can offer advice and support, if required).
- The main duties of these roles are explained below.
Practice Manager or Deputy
- Verify the identity of the patient
- Process and co-ordinate the application
- Contact the patient to explain the process
- Review the medical records for third party information and redact information where consent has not been given
Clinical Lead
- Responsibility for reviewing the medical record and limiting or redacting sensitive and/or harmful information.
- Overall responsibility for the decision to allow access
- The Clinical Lead will review the content of the medical record and ensure that sensitive or harmful data are not made available to the patient
- The Clinical Lead can refuse the request for the reasons given below
- The Clinical Lead will also check the record for quality, clarity of presentation, completeness, and accuracy.
Requests under the Data Protection Legislation:
- The scope of the Data Protection law includes the right of patients to request information on their own medical records. Requests for information under this legislation can be:
  - In writing, this includes letter or email
  - Verbal requests can be accepted where the individual is unable to put the request in writing or chooses not to. A record of what is requested should be made and a letter sent out for approval by the patient (this must be noted on the patient record)
  - SARs can also be submitted via social media, such as the practice Facebook page or Twitter
  - Accompanied by appropriate proof of identity (verification documents)
- The practice can ask a patient to complete an application form to support the Subject Access Request, although this is not a requirement. Suitably trained and authorised reception staff should ensure the application form has been completed correctly and verify identity. If an application form is used this must be completed and signed by the patient.
- Where an information request has been previously fulfilled, the practice does not have to provide the same request again unless a reasonable time-period has elapsed. It is up to the administrative/Clinical Leads to ascertain what constitutes a reasonable time-period.
Detailed Coded Records Access – Application
- Patients will be given a leaflet on the benefits and risks of Detailed Coded Access to Records (promotional links to leaflets can be found below)
- On completion of an application form the administrative lead will review the application form and invite the patient into the practice to complete the following:
  - Identity Verification
  - Inform the patient of the benefits and potential risks of detailed coded access to records
  - Advice leaflet will be given to the patient and application process and timescales will be discussed.
- The administrative lead will check the records for third party information and redact information where appropriate. If it is not possible to remove information the Clinical Lead should be consulted.
- The Clinical Lead will review the content of the medical record and ensure that sensitive or harmful data are not made available to the patient.
- The Clinical Lead may redact sensitive or harmful data if they consider it to be in the patient’s best interest.
- The Clinical Lead can refuse the request for the reasons set out below.
- The Clinical Lead will also check the record for quality, clarity of presentation, completeness, and accuracy.
- If approved, the administrative lead will place an alert on the system to notify other members of staff that the patient has Detailed Coded Record access.
- The completed application form should be scanned and attached to the patient’s record. The administrative lead will contact the patient to inform them of the outcome of the application, explain the next steps and provide any further information.
Identity Verification
- Access to health records can only be granted when the patient’s identity has been verified. There are three ways of confirming patient identity:
  - Documentation (Forms of Identification)
  - Vouching
  - Vouching with confirmation of information held in the applicant’s records
- All applications for access to health records will require formal identification through 2 forms of ID, one of which must contain a photo. Acceptable documents include passports, photo driving licences, bank statements, etc.
- Where a patient may not have suitable photographic identification, vouching with confirmation of information held in the medical record can be considered. This should take place discreetly and ideally in the context of a planned appointment. It is extremely important that the questions posed do not incidentally disclose confidential information to the applicant before their identity is verified.
- Adult proxy access verification – Before the practice provides proxy access to an individual or individuals on behalf of a patient, further checks must be made:
  - There must be either the explicit informed consent of the patient, including their preference for the level of access to be given to the proxy, or some other legitimate justification for authorising proxy access without the patient’s consent
  - The identity of the individual who is asking for proxy access must be verified
  - The identity of the person giving consent for proxy access must also be verified. This will normally be the patient but may be someone else acting under a power of attorney or as a Court Appointed Deputy
  - When someone is applying for proxy access based on an enduring power of attorney, lasting power of attorney, or as a Court Appointed Deputy, their status should be verified by making an online check of the registers held by the Office of the Public Guardian
- Child proxy access verification – Before the practice provides parental proxy access to a child’s medical records the following checks must be made:
  - The identity of the individual(s) requesting access
  - That the identified person is named on the birth certificate of the child
  - In the case of a child judged to have capacity to consent, there must be the explicit informed consent of the child, including their preference for the level of access to be given to their parent
Prospective access to patient records online
- In Summer 2022, patients with online access to their medical records will be able to have access to their future full medical records, including free text, letters, and documents once they have been reviewed and filed by the GP. This will not affect proxy access.
- There will be limited legitimate reasons why access to prospective medical records will not be given or will be reduced, and they are based on safeguarding. If the release of information is likely to cause serious harm to the physical or mental health of the patient or another individual, the GP is allowed to refuse or reduce access to prospective records; third party information may also not be disclosed if deemed necessary. On occasion, it may be necessary for a patient to be reviewed before access is granted, so that access can be given without a risk of serious harm.
Third Party Information
- A Patients record may contain confidential information that relates to a third person. This may be information from or about another person. It may be entered in the record intentionally or by accident. This does not include information about or provided by a third party that the patient would normally have access to, such as hospital letters.
- All confidential third-party information must be removed or redacted. If this is not possible then access to the health records will be refused.
Denial or Limitation of Information
- Access to any health records can be denied or limited. This decision will be made by the Practice Manager and Clinical Lead for the practice.
- Access will be denied or limited where, in the reasonable opinion of the Clinical Lead, access to such information would not be in the patient’s best interests because it is likely to cause serious harm to:
  - The patient’s physical or mental health, or
  - The physical or mental health of any other person
- Access will also be denied or limited where the information includes a reference to any third party who has not consented to its disclosure
- A reason for denial of information must be recorded in the medical records and, where possible, an appointment will be made with the patient to explain the decision.
When can a subject access request be refused?
- The Practice can refuse a request where the request is ‘manifestly unfounded or excessive’ or ‘repetitive’. The requester must be informed of the reason why within one month of the receipt of the request.
- If the practice decides to apply this option, advice MUST be sought from the practice Data Protection Officer, Sharon Forrester-Wild at DPO.healthcare@nhs.net or 01270 275217.
Timeframe for responding to requests
- The statutory timeframe has now been reduced to one month from receipt of the request, and in any event without delay, in accordance with Article 12 of the UK GDPR 2021.
- This can be extended by a further two months where requests are determined to be ‘complex’ or ‘numerous’.
- UK GDPR does not allow a fee to be charged, so the information must be provided free of charge. However, a charge can be made in the following circumstances:
  - where further copies are requested by the data subject, or
  - where the request is manifestly unfounded or excessive (definitions still required by the ICO); a reasonable fee based on the organisation’s administration costs may be charged
Proxy Access to Medical Records
- Proxy access is when an individual other than the patient has access to an individual’s medical record on their behalf to assist in their care. Proxy access arises in both adults and children and is dealt with differently according to whether the patient has capacity or not.
- The patient’s proxy should have their own login details to the patient’s record. If a patient wants to have more than one proxy, they should all have individual login details. In the current version of our electronic records system (EMIS Web) login details will be shared between the patient and the individual with proxy access.
- Proxy access should not be granted where:
  - There is a risk to the security of the patient’s record by the person being considered for proxy access
  - The practice suspects coercive behaviour
  - The patient has previously expressed the wish not to grant proxy access to specific individuals should they lose capacity, either permanently or temporarily; this should be recorded in the patient’s record
  - The Clinical Lead assesses that it is not in the best interests of the patient and/or that there are reasons as detailed in Denial or Limitation of Information
Proxy Access in Adults (including those over 13 years of age) with capacity
- Patients over the age of 13 (under UK DPA 2018) are assumed to have mental capacity to consent to proxy access. Where a patient with capacity gives their consent, the application should be dealt with on the same basis as the patient.
- In terms of online access, it may be possible to give the proxy different levels of access depending on the wishes of the patient and/or the views of the Clinical Lead; for example, some patients may want to allow a family member to have access only to book appointments and order repeat prescriptions without accessing the detailed care record.
Proxy Access in Adults (including those over 13 years of age) without capacity
- Nursing/residential homes may be granted proxy access for patients under their care.
- Proxy access without the consent of the patient may be granted in the following circumstances:
  - The patient has been assessed as lacking capacity to make a decision on granting proxy access and has registered the applicant as a lasting power of attorney for health and welfare with the Office of the Public Guardian.
  - The patient has been assessed as lacking capacity to make a decision on granting proxy access, and the applicant is acting as a Court Appointed Deputy on behalf of the patient.
  - The patient has been assessed as lacking capacity to make a decision on granting proxy access, and in accordance with the Mental Capacity Act 2005 code of practice, the Clinical Lead considers it in the patient’s best interests to grant access to the applicant.
- When an adult patient has been assessed as lacking capacity and access is to be granted to a proxy acting in their best interests, it is the responsibility of the Clinical Lead to ensure that the level of access enabled, or information provided, is necessary for the performance of the applicant’s duties.
Proxy Access in Children under the age of 11
- All children under the age of 11 are assumed to lack capacity to consent to proxy access. Those with parental responsibility for the child can apply for proxy access to their children’s medical records.
- Parents will apply for access through the same process outlined in Sections 4 and 5. Additional parental/guardian identification evidence will be required (see Section 6).
Proxy Access in Children above the age of 11 and under 13 years of age
- Access to medical records will need to be assessed on a case-by-case basis. Some children aged 11 to 13 have the capacity and understanding required for decision-making with regards to access to their medical records and should therefore be consulted and have their confidence respected.
- Online proxy access will automatically be turned off when a child reaches the age of 11. Online proxy access to the Detailed Coded Record of children aged 11 to 13 will not normally be approved unless it is in the best interests of the child or is the express wish of a competent child.
- The Clinical Lead will invite the child for a confidential consultation to discuss the request for proxy access, whether this is for requests under the Data Protection Law or for online access.
- The Clinical Lead should use their professional judgement in deciding whether to grant parental access and/or whether to withhold information. If the practice suspects coercive behaviour, access will be refused and documented in the medical notes.
- The Clinical Lead will liaise with Child Safeguarding teams if appropriate.
- Online proxy access will also be turned off when a child turns 13. Access can be turned back on by following the processes set out above governing access for adults.
Coercion
- Coercion is the act of governing the actions of another by force or by threat, to overwhelm and compel that individual to act against their will.
- Online access to records and transactional services provides new opportunities for coercive behaviour.
- If the practice suspects coercive behaviour for either an individual or proxy access application, then access will be refused and documented in the medical notes. The Clinical Lead will liaise with CCG Safeguarding Team, if appropriate.
Former NHS Patients Living Outside the UK
- Patients no longer resident in the UK still have the same rights to access their information as those who still reside here and must make their request for information in the same manner. Original health records should not be given to an individual to take abroad with them, however, the Practice may be prepared to provide a summary of the treatment given whilst resident in the UK.
Staff Training and Education
- All staff at the practice will be required to read the policy and confirm their understanding.
- The Data Security e-learning programme has been designed to support staff in health and social care. Level 1 – Data security awareness:
  - This course is mandated for everyone working in health and care. It has been designed to inform, educate and upskill staff in data security and information sharing. It provides an understanding of the principles and importance of data security and information governance. It looks at staff responsibilities when sharing information and includes a section on how to act to reduce the risk of breaches and incidents.
Disputes Concerning Content of Records
- Once access to medical records has been granted, patients often dispute their accuracy or lack understanding of the medical codes that are held in the records.
- Patients may notice and point out errors in their record; these may be unexpected third-party references or entries they object to or want deleted. Rectification and deletion are now rights under the UK GDPR.
- Reception staff will pass on any queries to the Practice Manager, who will contact the patient and investigate to identify the source and extent of the problem.
- The Practice Manager will then decide on the most appropriate action. Where the dispute concerns a medical entry the clinician who made the entry should be consulted. Consideration should be given as to whether it is appropriate to change or delete an entry. It is not always possible or practical to contact the clinician who made the entry, and in this case the practice Clinical Lead should be consulted. Where a decision is taken not to amend the records an explanation should be given to the patient outlining the reasons why.
- If a patient wishes to exercise their UK GDPR 2021 rights of Rectification (Article 16 UK GDPR), Erasure (Article 17 UK GDPR), Restriction of Processing (Article 18 UK GDPR) or Data Portability (Article 20 UK GDPR), please contact the practice Data Protection Officer, Sharon Forrester-Wild at DPO.Healthcare@nhs.net.
- If the patient further disputes the accuracy once a decision has been made, they will be referred to the complaints procedure and/or the Health Ombudsman.
Complaints
- The practice has procedures in place to enable complaints about access to health records requests to be addressed. Please refer to our practice complaints policy.
- All complaints about Access to Records should be referred to the Practice Manager in the first instance or to the Data Protection Officer, Sharon Forrester-Wild at DPO.healthcare@nhs.net or 01270 275217.
- If the patient wishes to make a further complaint, they have the right to do so and should be informed of the NHS complaints procedure.
- Complaints can also be made to the Information Commissioner’s Office at https://ico.org.uk/make-a-complaint/data-protection-complaints/. Sometimes the patient may wish to seek independent legal advice from a solicitor.
Application Length
- Requests for health records information should be fulfilled within one month (unless under exceptional circumstances – the applicant must be informed where a longer period is required – up to two months extension can be requested – but must be requested from the patient within the first month). Information given should be in a manner that is intelligible to the individual.
- Due to the time required to process requests for Detailed Coded Records Access each practice will process applications within 28 working days from date of application. In some circumstances there may be a delay in access to records. Where a longer period is anticipated the patient should be informed.
FAQs
What format should the response be provided in?
Where a request is received by electronic means, unless otherwise stated by the data subject, the information must be provided in a commonly used electronic format.
What are the penalties for non-compliance with the statutory timeframe?
The penalties are still at the discretion of the ICO. However, for non-compliance the financial penalties are now much greater.
What should you do if you identify that you have received a SAR?
Incoming SARs should be passed on immediately to the Practice Manager, where they will be logged, acknowledged, and processed. If you receive a Subject Access Request and records are altered with intent to prevent disclosure, this is a criminal offence punishable by a fine.
Patient Privacy Notice
This privacy notice explains why Tudor Surgery, hereafter known as ‘the Organisation’, collects information about you, how it is kept secure and how that information is used.
This notice will explain:
- Why we collect your information, what is collected and how we use it
- How we keep your information safe and secure
- Why we share your information and who with
- How to opt out of sharing your data
- Your data rights under UK GDPR 2021
- How long we can legally keep your information
- The lawful basis for processing your personal and sensitive information
- How to complain
Introduction
The General Data Protection Regulation (GDPR) became law on 25 May 2018. This regulation protects the personal and sensitive data of a living individual. It is currently known as the UK GDPR 2021 after the United Kingdom withdrew from the European Union on 31 January 2020.
As your registered GP organisation, we are the data controller for any personal and sensitive data we hold about you. We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- The GDPR 2016 and UK GDPR 2021
- The Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality, Information Security and Records Management
- The Caldicott Principles
Why do we collect your information?
Healthcare professionals within the NHS and who provide you with care are required by law to maintain your medical records with details of any care or treatment you received. This information will be used to aide clinicians to make decisions, either individually or jointly, about your health and to make sure it is safe and effective. Other reasons include:
- Looking after the health of the public
- Development of future services to better serve the organisation population
- We will share pseudonymised data so the NHS has access to statistics to its performance and activity
- To help us investigate patients’ concerns, complaints or legal claims
- Allow clinicians to review their service of care to ensure it is of the highest standards, and provide a basis for further training if care is not as expected
- Patient medication reviews undertaken by a healthcare professional
- Research Ethics Committee approved research (patient consent will be required)
What information do we collect?
The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously or elsewhere (eg NHS hospital Trust, another GP surgery, Out of Hours service, Accident & Emergency Department, etc). These records help to provide you with the best possible healthcare.
Information we hold about you may include the following:
- Your personal details, ie address, next of kin, contact details, details of those with proxy access, email address
- Contact you have had with the surgery, ie appointments including what kind of appointment, who it was with and what happened during
- Reports about your health, treatment and care
- Results of investigations, ie laboratory test results, x-rays, scan results, etc
- Relevant information from other health professionals, relatives or those who care for you, or information provided to the surgery by you (including information you provide via our surgery website).
- Recordings of telephone conversations between you and the organisation.
How do we keep your information safe and secure?
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it.
We will not disclose your information to any third party without your permission unless there are exceptional circumstances, or where the law requires information to be passed on, for example:
- We believe you are putting yourself at risk of serious harm
- We believe you are putting a third party (adult or child) at risk of serious harm
- We have been instructed to do so via court order made against the organisation
- Your information is essential for the investigation of a serious crime
- You are subject to the Mental Health Act (1983)
- UK Health Security Agency and Office for Health Improvement and Disparities need to be notified of certain infectious diseases
- Regulators use their legal powers to request your information as part of an investigation
Our organisation policy is to respect the privacy of our patients, their families and our staff, and to maintain compliance with the UK GDPR and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.
All employees must sign a confidentiality agreement as a condition of employment. We also ensure that data processors who support us are legally and contractually bound to operate, and to prove, that security arrangements are in place wherever data which could or does identify a person is processed.
Third party processors include:
- Companies which provide core IT services and support to the organisation and its clinical systems
- Systems which manage patient facing services (PFS) – NHS app, MyGP, the organisation website, data hosting service providers, appointment booking systems, electronic prescription services, document management services, text messaging services etc
- Clinical systems (EMIS Web/TPP – SystemOne)
- For more information, please see ‘Data Processors’ below
We will email or text you regarding matters of medical care, such as appointment reminders and, if appropriate, test results, unless you have separately given the organisation your explicit consent to do so. We maintain our duty of confidentiality to you and will only use or share information with others if they have a genuine need for it.
We will not share your information with a third party without your permission, unless there are exceptional circumstances, ie life and death, or where the law requires us to share your information.
Why do we share your information, and who do we share it with?
Confidential patient data will be shared within the healthcare team at the organisation, including nursing staff, administration staff (prescription, secretaries, reception, finance) and with other healthcare professionals to whom a patient is referred.
Data processors
The organisation uses data processors to perform certain administrative tasks for us, particularly where these involve large numbers of patients. Details of the data processors are listed below:
- Companies that provide IT services and support, including our core clinical systems which manage patient facing services (such as our website and service accessible through the same), data hosting service providers, systems which facilitate appointment bookings or electronic prescription services, prescribing decision support services, document management services.
- The systems contracted to maintain and store records on our behalf are:
- EMIS Web
- Docman clinical systems
- Accurx
- Patchs
- Scripswitch
- National screening programmes – The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These screening programmes include:
- eg bowel cancer, breast cancer, cervical cancer, aortic aneurysms, diabetic eye screening, etc
- Research projects – Where research involves accessing or disclosing identifiable patient information, we will only do so with your explicit consent and with approval from the Research Ethics Committee, or where we have been provided with special authority to do so with consent.
- Medicines Management Reviews – The Medicines Management Reviews service performs a review of prescribed medication to ensure patients receive the most appropriate, up-to-date and cost-effective treatments. If you decide to object to this, please contact the Organisation Manager; however, be aware that the result may cause a delay in the timely provision of your direct care.
- Risk stratification – The Secretary of State for Health and Social Care has granted permission for personal data to be used for the purposes of risk stratification. This is because it would take too long to carry out a manual review of all patients. The following information is used for risk stratification:
- Age
- Gender
- NHS number
- Diagnosis
- Existing long-term condition(s)
- Medication history
- Patterns of hospital attendance
- Number of admissions to A&E
- Periods of access to community care
- This information will be used to:
- Decide if a patient is at greater risk of suffering from a particular condition
- Prevent an emergency admission
- Identify if a patient needs medical help to prevent a health condition from deteriorating
- Review and amend the provision of current health and social care services.
Data sharing schemes
Several data sharing schemes are active locally, enabling healthcare professionals working outside of the surgery to view information from your GP record. A list of these schemes can be obtained by writing to Dr Keith Malone and asking for the information under the Freedom of Information Act 2000.
- Summary Care Record – NHS England have also created a Summary Care Record which contains information about medication you are taking, allergies you suffer from and any bad reactions to medication that you have had in the past.
The shared record means patients do not have to repeat their medical history at every care setting.
Your record will be automatically set up to be shared with the organisations listed above; however, you have the right to ask your GP to stop your record from being shared or to allow access only to parts of your record.
Your electronic health record contains a lot of information about you. In most cases, particularly for patients with complex conditions and care arrangements, sharing it means that you get the best care and that the people involved in your care have all the information about you.
Mandatory disclosure of information
We are sometimes legally obliged to disclose information about patients to relevant authorities. In these circumstances the minimum identifiable information that is essential to serve that legal purpose will be disclosed.
The organisation also has a professional and contractual duty of confidentiality. Data will be anonymised where possible before disclosure, if anonymised data would serve the purpose for which the data is required.
Organisations which we are legally obliged to release patient data to include:
- NHS Digital (eg the National Diabetes Audit)
- Care Quality Commission (CQC)
- Driver and Vehicle Licensing Agency (DVLA)
- General Medical Council (GMC)
- His Majesty’s Revenue & Customs (HMRC)
- NHS Counter Fraud
- Police (mandatory or vital interest requests)
- The Courts
- UK Health Security Agency and Office for Health Improvement and Disparities
- Local Authorities (Social Services)
- The Health Service Ombudsman
- Medical defence organisation – in the event of actual or possible legal proceedings
Permissive disclosure of information
The organisation can release information from your medical records to relevant organisations, only with your explicit consent. These include:
- Your employer
- Insurance companies
- Solicitors
- Local Authorities (the Council)
- Police (non-mandatory requests)
- Community services – district nurses, rehabilitation services, telehealth and OOH hospital services
- Child health services which undertake routine treatment or health screening
- Urgent care organisations, minor injury units
- Community hospitals
- Palliative care hospitals
- Care homes
- Mental health Trusts
- NHS hospitals
- Social care organisations
- NHS commissioning support units
- Independent contractors, ie dentists, opticians, pharmacists
- Private sector providers
- Voluntary sector providers
- Local ambulance Trust
- Integrated Care Board
- Education services
- Fire and Rescue services
Don’t want to share your information?
You have the right to withdraw your consent at any time for any instance of processing, provided consent is the legal basis for the processing. Please contact your GP Organisation for further information and to raise your objection.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
Your organisation has systems and processes in place to comply with the National Data Opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.
To find out more or to register your choice to opt out, please visit https://www.nhs.uk/your-nhs-data-matters/ or telephone 0300 3035678. On the webpage you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply, ie where there is a legal requirement or where it is in the public interest to share (go to more exemptions for further information)
You can also find out more about how patient information is used at:
- https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research).
- https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Legal basis for processing your personal data
We need to know your personal, sensitive, and confidential data so that we can provide you with healthcare services and advice. Under the UK General Data Protection Regulation (UK GDPR) there are different reasons why we may process your data, however we mostly rely upon:
Article 6(1)(e): Official Authority; and
Article 9(2)(h): Provision of health
For much of our processing, in particular:
- Maintaining your electronic GP record
- Sharing information from, or allowing access to, your GP record, for healthcare professionals involved in providing you with direct medical care
- Referrals for specific healthcare purposes
- The NHS data sharing schemes
- Our data processors
- Organising your prescriptions, including sending them to your chosen pharmacist
- Some permissive disclosures of information
We also rely upon:
- Article 6(1)(d): Vital interests – to share information with another healthcare professional in a medical emergency
- Article 6(1)(c): Legal obligation – Mandatory disclosure of information to NHS Digital and CQC, etc
- Article 6(1)(a): Consent – Certain permissive disclosures of information, ie insurance companies
- Article 9(2)(j): Research – for accredited research undertaken in the surgery, with your explicit consent.
Your data rights
The UK GDPR allows you to ask for any information the organisation holds about you, including your medical records. It also allows you to ask the organisation to rectify any factually inaccurate information and object to how your information is shared with other organisations (opt-out).
Data being used or shared for purposes beyond individual direct care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Right of access
The organisation holds both personal and sensitive data (health records) about you. If you need to review a copy of your historical medical records, you can contact the surgery to make a ‘Subject Access Request’. Please note, if you receive a copy, there may be information that has been hidden. Under UK GDPR the organisation is legally permitted to apply specific restrictions to the released information. The most common restrictions include:
- Information about other people (known as ‘third party’ data) unless you provided the information, or they have consented to the release of their data held within your medical records
- Information which may cause serious physical or mental harm to you or another living person. For some Subject Access Request cases, a GP will perform a ‘serious harms test’. If the GP has any cause to believe that specific information will cause you or someone else serious harm, it will not be released.
Right to rectification
You have the right to have any factual inaccuracies about you in your medical record corrected. Please contact the surgery with your request.
Right to object
If you do not wish to share your information with organisations who are not responsible for your direct care, you can opt out of the sharing schemes. For further information about opting out, please visit Your NHS Data Matters.
Right to withdraw consent
Where the organisation has obtained your consent to process your personal data for certain activities (eg preparation of a subject access request for a third party), you have the right to withdraw your consent at any time.
Your access to your future health records
Since 1 November 2023, if you have online access to your medical records, you will have access to your full records (from 1 November 2023 onwards). This means you will have access to free-text entries, letters, and documents once they have been reviewed and filed by the GP. Please note that this will not affect proxy access.
If you move organisation, access to your full medical records will commence from the date you register with the new organisation.
There will be limited legitimate reasons why access to prospective medical records will not be given or will be reduced, and they are based on safeguarding. If the release of information is likely to cause serious harm to the physical or mental health of you or another individual, the GP could refuse or reduce access to prospective records; third party information may also not be disclosed if deemed necessary. On occasion, it may be necessary for a patient to be reviewed before access is granted, to determine whether access can be given without a risk of serious harm.
What should you do if your personal information changes?
It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as your date of birth, are incorrect, so that they can be amended. You have a responsibility to inform us as soon as possible of any changes so our records are accurate and up to date for you.
How long will we store your data?
The NHS Records Management Code of Practice 2021, which replaces the 2016 version, identifies specific retention periods; these are listed in Appendix II: Retention Schedule.
How can you complain?
If you have any concerns about how your data is managed, please contact the Organisation’s Manager in the first instance.
For independent advice about data protection, privacy and data sharing issues, you can contact the ICO at:
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
Web: www.ico.org.uk
Further information
If you have any concerns about how your data is shared or would like to know more about your rights in respect of your personal data held by the organisation, please contact the Data Protection Officer.
Data Protection Officer
Any queries about data protection issues should be addressed to:
Sharon Forrester-Wild
Email: DPO.healthcare@nhs.net
Tel: 07946 593082
Changes to our privacy policy
We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes.
Records Management Code of Practice
Subject Access Request
What is a Subject Access Request?
A subject access request (‘SAR’) is a request made by a natural living individual, also known as the ‘data subject’. The data subject can request a copy of their medical records from the practice (or other medical service provider) under a SAR. The information can include computerised records, letters, notes, recorded telephone conversations and emails.
The practice has one calendar month in which to comply with the request, although this can be extended to three months in the event the collection, collation and production of a SAR is complex. The practice must notify the data subject whether an extension is required to comply with their request for their medical records.
How is a Subject Access Request made?
Requests can be made in writing, on an in-house form, on the practice’s social media site(s) or orally to any member of staff. Recognising a SAR and following the practice’s procedure is the responsibility of every member of staff, making practice-wide understanding of the process vital.
Who can make a Subject Access Request?
Only the data subject, to whom the information pertains, can apply for a SAR; however, the data subject can employ or ask a third party to make the request on their behalf. The third party making the request is known as the ‘representative’. A representative can be either another person or an organisation, usually a solicitor. In each case, the practice must satisfy itself regarding the identity of the data subject and the authenticity of the consent provided to the representative to make the request on their behalf.
The request is made in person
If the request is made in person, either verbally or via a hard copy of an in-house request form, staff must ask for sight of the data subject’s identification.
The request is made over the telephone
If the request was made over the telephone, staff can ask some security questions (such as providing identifiers that match those in the medical records); however, if staff wish for further clarification it would not be remiss to ask the data subject to attend the practice with their identification.
The request is made in writing
If the request is made in writing, including via social media, staff must satisfy themselves that it is the data subject making the request; again, this can be done either over the telephone (security questions) or by asking them to attend the practice with proof of identity.
The request is made via a representative
The data subject can make a request via a representative, either someone known to them or a legal representative such as a firm of solicitors. These SAR applications must be accompanied by the data subject’s consent, which allows the representative to make the request on their behalf. It will be necessary to confirm with the data subject that they have consented for a representative to make a SAR application on their behalf.
Preparing a Subject Access Request
Whilst any employee can receive a SAR, not every employee can prepare one. The task of collection and collation of the medical records prior to the production of a SAR will be the remit of staff identified by the practice to undertake the task.
Once a SAR has been received and the identity of the data subject or their representative confirmed, the request must be clarified. This task is undertaken because data subjects have little comprehension of the amount and type of personal and special category data held in their medical records.
It is common to receive a SAR requesting the data subject’s full medical records. This may happen because the data subject may be unaware of targeted SARs (TSAR). A targeted SAR provides the medical records within a specified timeframe, for example the last 5 years; or a specific condition, such as musculoskeletal conditions. Clarifying the request with the data subject can reduce the practice’s workload; however, the practice must not attempt to sway the data subject to apply for a targeted SAR if the data subject is clear they would like a copy of their full medical record.
Once satisfactory identification of the data subject (photographic identity, such as a driving licence or passport, or a proof of address and a bank card) and clarity of their request is established, the SAR can be produced.
Redacting Prior to Release
The Information Commissioner’s Office (‘ICO’) states that when determining whether it is reasonable to disclose information, the controller (the practice) must consider:
- The type of information that is to be disclosed
- Any duty of confidentiality owed to the other individual (third party)
- Steps taken to seek consent from the other individual
- Whether the individual can give consent
- Any express refusal of consent by the other individual
Third party identifiers
Third party identifiers (‘TPI’) include the names of parties other than the data subject and healthcare professionals; they also include the roles, such as wife, husband, brother, daughter, friend, neighbour, boss, etc. TPIs also include any information which may help to identify third parties, for example: Mrs Smith’s husband works as a butcher on High Street in the town. This sentence identifies the third party’s relationship to the data subject, as well as his occupation and location of employment. If the TPI ‘husband’ was removed, the remaining information would enable someone to identify the third party, and therefore must be redacted.
Although the removal of third party identifiers needs to be undertaken, there are other considerations to be mindful of when redacting.
Information provided by third parties
Information provided by third parties is not information provided by the data subject; therefore, it must be redacted. For example: A mother is concerned about her son’s anti-social behaviour, which is exacerbated by his intake of excessive alcohol. She speaks to her son’s doctor about her concerns and her son’s issues. In this example, the consultation is a ‘third party consultation’ and must be redacted prior to releasing the medical records to the data subject.
Legal professional privilege
If a SAR has been made for the purpose of gathering the medical records of a data subject contemplating litigation against the practice, legal professional privilege exemption can be used to restrict access to personal data contained within documents.
There are two types of legal professional privilege:
- Litigation privilege: This relates to communication pertaining to contemplated litigation, where there is either a real prospect or a likelihood of litigation.
- Advice privilege: This applies where no litigation is in progress or contemplated. It is communication where legal advice has been sought or given.
For example: Correspondence from the data subject’s legal representative requesting a copy of the medical records because the data subject is seeking to make a claim against the practice (litigation privilege).
‘Do not release without the consent of the author’
Some documents instruct non-disclosure without the author’s authorisation. These are applied to sensitive reports and can include medico-legal reports, psychiatric reports (especially if the patient has been sectioned) and community multi-disciplinary team reports. Compliance with the author’s instruction must be adhered to.
Multi-Agency Risk Assessment Conference (MARAC) forms
MARAC forms are minutes of community multi-disciplinary team meetings and concern whole families, not a single data subject. Their contents must not be released to the data subject or their representatives.
Non-medical information
Medical records also contain documents received from non-medical sources; these include solicitors, insurance companies, the Department for Work and Pensions and the Police. They do not form part of the medical records and must be redacted.
Non-relevant information
The data protection principle of data minimisation requires the information released to be limited to what is needed for the purpose. If the practice is in doubt about the purpose of the request, contact the data subject. They are not obliged to inform you of the reason for the SAR application; however, most data subjects will divulge the purpose. It is increasingly common for legal representatives to request a copy of the data subject’s full medical records via the data subject themselves. A direct data subject SAR application would contain most of the contents of their medical records; however, a request made directly by the data subject for use by their legal representative should focus on the information limited to that purpose. If the purpose of the SAR application is in doubt, provide the information to the data subject and inform them of their right to review their records and redact them as they see fit before releasing them to their legal representative.
Storage of requests
The Records Management Code of Practice for Health and Social Care 2016 states the following storage periods prior to destruction of a SAR application:
- If a SAR application has been made for the purpose of litigation, the information must be retained for 10 years after the whole process has ceased, including the litigation. These requests must not be kept on file.
- If a SAR application was not made for the purpose of litigation, the information must be retained for 3 years after the closure of the SAR.
- If a SAR application was not made for the purpose of litigation but there was a subsequent appeal, the information must be retained for 6 years after the closure of the appeal.
Disclosure of Information Requests
Introduction
Most employees who are responsible for dealing with requests for medical information are familiar with the Subject Access Request (SAR) and the Access to Medical Reports Act (AMRA). These are the most common methods used to request the information; however, there are others which you must become familiar with to enable you to make the correct decision on what information to collate and how to release it. Below is a very brief outline of the different Acts used by patients, the patient’s representative and third parties to make a request.
Subject Access Request (SAR)
A SAR can be made to the practice for disclosure of medical records by a living patient or their representative. This information includes both computerised and paper records. The information must focus on the patient and be subjected to redaction of third-party identifiers and any information that may cause harm or distress to the patient or another individual.
The release of the finalised records will be subject to practice policy. Some practices will only release information directly to the patient, while other practices will release the information to the patient’s representative at the patient’s request. Whatever the practice policy is, the records must be available within one calendar month from the date the request was received by the practice, except for complying with complex requests where an extension of a further two calendar months is permitted under the General Data Protection Regulation (GDPR).
Access to Medical Reports Act (AMRA)
An AMRA is a request for a medical report made by a third party who is not the patient’s representative, for example an employer or an insurance company. These requests can only be processed if the practice is in receipt of the patient’s consent. Using the examples of the third parties above, the reports are used to form part of the third party’s risk assessment to determine if the patient is fit to undertake their role within their place of employment, or to determine the risk of insuring them.
The Act permits the patient to see the report before it is released. The practice must be informed of the patient’s intention to view the report. If the patient wishes to see the report, they have 21 days from the date of completion in which to do so. If they do not attend to view the report, it may be forwarded to the third party after the 21st day. The patient is also allowed to comment and make amendments/corrections to the report prior to its release; however, these can only be accepted by the GP if the GP agrees with them.
As the report is a creation of new information, the practice is entitled to charge for the work.
Access to Health Records Act (AHRA)
An application for the medical records of a deceased patient must be made under AHRA. The records can be requested by:
- A personal representative (the executor or administrator of the deceased person’s estate); or
- Someone who has a claim resulting from the patient’s death (this could be a relative or someone else).
‘Next of kin’ is not a legal basis to request the medical records, nor justification to give them to someone. Requests made by the next of kin without any further reason for the request must be denied.
Only information directly relevant to a claim can be disclosed.
Once a deceased patient’s paper records have been returned to Primary Care Support England (PCSE), the practice is no longer the data controller of the records; however, the practice retains the role of data holder of the electronic records.
If, whilst alive, the deceased patient asked for non-disclosure of their medical records, neither the practice nor the PCSE are permitted to release any information. Any request for non-disclosure must be marked on the patient’s clinical records.
Freedom of Information Act (FOIA)
The NHS is a public authority and is obliged to publish certain information about its activities. Any member of the public can request information from public authorities; however, they cannot request access to their own personal data under the FOIA, nor request information pertaining to other people or organisations, for example an employee’s private information.
The FOIA request must be clear about what information is required. The practice must reply within 20 working days, with any extension period not exceeding 40 days.
A fee can be charged for an FOIA request to cover disbursements.
Section 251 of the NHS Act 2006 (S251)
S251 forms the legal basis for sharing patient identifiable information without the patient’s consent. Its application to a request for records is limited to a suite of programmes previously known as ‘confidential enquiries’. It allows the common law duty of confidentiality to be temporarily lifted.
The safeguards for release include:
- The activity must be for a medical purpose, i.e. medical research with ethics committee approval, or the management of health and social care services;
- The activity must be in the public interest or the interest of improving patient care;
- The activity must be compliant with the provisions of the Data Protection Act 2018; and
- All applications must undergo an annual review to evidence whether support is still necessary.
Disclosure of Information to the Police (Schedule 2(1)(2))
Patient information can be shared with the Police where doing so upholds the patient’s right to confidentiality while allowing the Police sufficient and appropriate information to help with their enquiries. Both the Police and the practice must be able to justify the release of information as being in the public interest. The request from the Police must be made on a DP2 form and either signed by an officer of the rank of Inspector or above, or authorised by someone of the rank of Inspector or above (the authorisation must accompany the form).
The reasons for the Police to request records are varied, as is whether consent is required or not.
Zero Tolerance Policy
The practice supports the NHS policy of zero tolerance with regard to violence or abuse to our staff.
Patients who breach this policy may be reported to the police and removed from our patient list.